Naughty GreaseMonkey

Looks like some major 'sploits have been identified for GreaseMonkey:

“…In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with “@include *” (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.”

(From the "[Greasemonkey] greasemonkey for secure data over insecure networks / sites" thread on the GreaseMonkey developer list)

The general agreement on the list is to totally disable or uninstall GM for the time being… Eeek.
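As an added example (not from the post or the list thread): a small checker that parses a user script's metadata block and flags the scope problem the quote describes, a script with `@include *` or with no `@include` at all, which the thread says is treated the same way. The sample headers are constructed; the pattern-matching rule for what counts as "every site" is an assumption.

```javascript
// Parse the "// ==UserScript== ... // ==/UserScript==" header into a map of
// @key -> [values]. Returns null when no metadata block is present.
function parseMetadata(source) {
  const block = source.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  if (!block) return null;
  const meta = {};
  for (const line of block[1].split("\n")) {
    const m = line.match(/^\/\/\s*@(\S+)\s*(.*)$/);
    if (!m) continue;
    const key = m[1];
    if (!meta[key]) meta[key] = [];
    meta[key].push(m[2].trim());
  }
  return meta;
}

// Assumption: "*" alone, or a pattern whose host is "*", matches every site.
function isWildcard(pattern) {
  return pattern === "*" || /^(https?|\*):\/\/\*\/?\*?$/.test(pattern);
}

// Report whether the script is scoped to specific sites. A script that runs
// everywhere exposes whatever GM_xmlhttpRequest can reach to every page visited.
function auditScope(source) {
  const meta = parseMetadata(source);
  if (!meta) return { ok: false, reason: "no metadata block" };
  const includes = meta.include || [];
  if (includes.length === 0) return { ok: false, reason: "no @include: defaults to *" };
  const wide = includes.filter(isWildcard);
  if (wide.length > 0) return { ok: false, reason: "wildcard @include: " + wide.join(", ") };
  return { ok: true, reason: "scoped to " + includes.join(", ") };
}

// Constructed sample headers for the three cases.
const NO_INCLUDE = "// ==UserScript==\n// @name constructed-example\n// ==/UserScript==\n";
const WILDCARD = "// ==UserScript==\n// @name constructed-example\n// @include *\n// ==/UserScript==\n";
const SCOPED = "// ==UserScript==\n// @name constructed-example\n// @include http://example.com/*\n// ==/UserScript==\n";

for (const src of [NO_INCLUDE, WILDCARD, SCOPED]) {
  const r = auditScope(src);
  console.log((r.ok ? "OK   " : "WARN ") + r.reason);
}
```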
